Token based Authentication for WCF HTTP/REST Services: Authorization
- by Your DisplayName here!
In the previous post
I showed how token based authentication can be implemented for WCF HTTP based services.
Authentication is the process of finding out who the user is – this includes anonymous
users. Then it is up to the service to decide under which circumstances the client
has access to the service as a whole or individual operations. This is called authorization.
By default – my framework does not allow anonymous users and will deny access right
in the service authorization manager. You can however turn anonymous access on – that
means technically, that instead of denying access, an anonymous principal is placed
on Thread.CurrentPrincipal. You can flip that switch in the configuration
class that you can pass into the service host/factory.
var configuration
= new WebTokenWebServiceHostConfiguration
{
AllowAnonymousAccess = true
};
But this is not enough, in addition you also need to decorate the individual operations
to allow anonymous access as well, e.g.:
[AllowAnonymousAccess]
public string GetInfo()
{
...
}
Inside these operations you might have an authenticated or an anonymous principal
on Thread.CurrentPrincipal, and it is up to your code to decide what to do.
Side note: Being a security guy, I like this opt-in approach to anonymous
access much better that all those opt-out approaches out there (like the Authorize attribute
– or this.).
Claims-based Authorization
Since there is a ClaimsPrincipal available, you can use the standard
WIF claims authorization manager infrastructure – either declaratively via ClaimsPrincipalPermission or
programmatically (see also here).
[ClaimsPrincipalPermission(SecurityAction.Demand,
Resource = "Claims",
Operation = "View")]
public ViewClaims GetClientIdentity()
{
return new ServiceLogic().GetClaims();
}
In addition you can also turn off per-request authorization (see here for
background) via the config and just use the “domain specific” instrumentation.
While the code is not 100% done – you can download the current solution here.
HTH
(Wanna learn more about federation, WIF, claims, tokens etc.? Click here.)
